Our detailed article is suitable for non-technical readers. It covers: how the malware “calls home” to the crooks, how the encryption is done, which file types get scrambled, and what you see when the demand appears. You may want to keep the article open in another tab or window to refer to while you read this page.

WHAT DOES CRYPTOLOCKER LOOK LIKE?

CryptoLocker reveals itself only after it has scrambled your files, which it does only if it is online and has already identified you and your computer to the encryption server run by the criminals.

We therefore recommend that you don’t try the malware out yourself, even if you have a sample and a computer you don’t care about, because you can’t easily test it without letting your computer converse with the crooks.

However, we know you would love to see what it does and how it works, so here is a video made by our friend and colleague Mark Rickus, of Sophos Support.

We recommend this video because Mark has pitched it perfectly: he doesn’t rush; he doesn’t talk down to you; he lets the facts speak for themselves; and he brings an air of calm authority with just a touch of wry humour to what is a rather serious subject:

This program isn’t a replacement for your existing security software, because it doesn’t provide active protection (also known as on-access or real-time scanning), but that means it can co-exist with any active software you already have installed.

The Virus Removal Tool will load, update itself, and scan memory, in case you have malware that is already active.

Once it has checked for running malware, and got rid of it, then it scans your hard disk.

If it finds any malicious files, you can click a button to clean them up.

If CryptoLocker is running and has already popped up its payment demand page, you can still remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files – the contents are unrecoverable without the key, so you may as well delete them.

Even if you don’t have CryptoLocker, it is well worth scanning your computer for malware.

The criminals are known to be using existing malware infections as “backdoors” to copy CryptoLocker onto victims’ computers.

We assume their reasoning is that if you have existing, older malware that you haven’t spotted yet, you probably won’t spot CryptoLocker either, and you probably won’t have backup – and that means they’re more likely to be able to squeeze you for money later on.

CAN CRYPTOLOCKER SPREAD ON MY NETWORK?

Fortunately, CryptoLocker is not a virus (self-replicating malware), so it doesn’t spread across your network by itself.

But it can affect your network, because it searches extensively for files to encrypt.

Remember that malware generally runs with the same permissions and powers as any program you choose to launch deliberately.

So, any file, on any drive letter or network share, that you can locate and access with a program such as Windows Explorer can be located and accessed by CryptoLocker.

That includes USB drives, network file shares, and even cloud storage folders that are made to appear as drive letters by special software drivers.

A Naked Security reader just commented that from a single infected computer, he was “faced with 14,786 encrypted files over local and mapped network drives.”

So, if you haven’t reviewed the security settings on your network shares lately, this would be a good time to do so.

If you don’t need write access, make files and folders read only.

SHOULD I PAY UP?

We’ll follow the police’s advice here, and recommend that you do not pay up.

This sort of extortion – Demanding Money with Menaces, as a court would call it – is a serious crime.

Even though CryptoLocker uses payment methods (MoneyPak, Bitcoin) that keep you and the crooks at arm’s length, you are dealing with outright criminals here.

Of course, since we don’t have 14,786 encrypted files, like the reader we mentioned above, we acknowledge that it may be easier for us to say, “Don’t pay” than it is for you to give up on your data.

Obviously, we can’t advise you on how likely it is that you will get your data back if you do decide to pay.

IS IT THE WORST VIRUS EVER?

We don’t think so, although that is cold comfort to those who have lost data this time round.

Losing files completely is a terrible blow, but you can lose data in lots of other ways: a dropped hard disk, a stolen laptop or just plain old electronic failure.

The silver lining with CryptoLocker is that the criminals don’t actually take your data – they just leave it locked up where it was before, and offer to sell you the key.

In many ways, malware that isn’t so obvious and aggressive, but which steals your files, or monitors your keyboard while you log in to your bank, or takes snapshots of your screen while you’re filling out your tax return, can be much worse.

In those cases, the crooks end up with their own duplicate copies of your data, passwords and digital identity.

If you have a recent backup, you can recover from CryptoLocker with almost no consequences except the time lost restoring your files.

Identity theft, however, can be a lot harder to recover from – not least because you have to realise that it’s even happened before you can react.

Even if all you have on your computer is zombie malware of the sort that crooks use to send spam, doing nothing about it hurts everyone around you, and imposes a collective cost on all of us.

That’s why we are urging you to DO THESE 3 security steps, and TRY THESE 4 free tools, even if you haven’t been hit by CryptoLocker.

HOW DO I ENSURE THERE’S NO “NEXT TIME?”

Here are five “top tips” for keeping safe against malware in general, and cyberblackmailers in particular:

1. Keep regular backups of your important files. If you can, store your backups offline, for example in a safe-deposit box, where they can’t be affected in the event of an attack on your active files. Your backups will be rendered useless if they are scrambled by CryptoLocker along with the primary copies of the files.

2. Use an anti-virus, and keep it up to date. As far as we can see, many of the current victims of CryptoLocker were already infected with malware that they could have removed some time ago, thus preventing not only the CryptoLocker attack, but also any of the damage done by that earlier malware.

3. Keep your operating system and software up to date with patches. This lessens the chance of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker authors didn’t need to use fancy intrusion techniques in their malware because they used other malware, that had already broken in, to open the door for them.

4. Review the access control settings on any network shares you have, whether at home or at work. Don’t grant yourself or anyone else write access to files that you only need to read. Don’t grant yourself any access at all to files that you don’t need to see – that stops malware seeing and stealing them, too.

5. Don’t give administrative privileges to your user accounts. Privileged accounts can “reach out” much further and more destructively both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.
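A way to check that a backup set has not itself been scrambled before you restore from it, as an added example (not code from the article or from Sophos): each file's leading bytes are compared with the signature its extension implies, and files with no known signature are judged by byte entropy, since ciphertext sits near 8 bits per byte while real documents do not. The signature table, the 7.5 bits-per-byte cut-off and the file names are assumptions of this example; the sample files are constructed inside the block.

```python
import math
import random
from collections import Counter

# Leading-byte signatures for common document types
# (short illustrative table; an assumption of this example, not a complete list).
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",
    "jpg": b"\xff\xd8\xff",
}
HIGH_ENTROPY = 7.5  # bits per byte; plain text sits near 4-5, ciphertext near 8


def byte_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name, data):
    """Return 'ok', 'scrambled' or 'suspicious' for one backed-up file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        # A known binary format that no longer starts with its signature has
        # been overwritten: encryption does not preserve the original header.
        return "ok" if data.startswith(magic) else "scrambled"
    # No signature to check (e.g. .txt): fall back on entropy. Natural text
    # never approaches 8 bits per byte; encrypted output does.
    return "suspicious" if byte_entropy(data) > HIGH_ENTROPY else "ok"


def check_backup(files):
    """Classify every file in a {name: bytes} backup set."""
    return {name: classify(name, data) for name, data in files.items()}


def _pseudo_ciphertext(seed, size=4096):
    # Deterministic stand-in for an encrypted file body (constructed sample data).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed backup set: two intact documents, one intact text file,
# and two files whose contents have been replaced with ciphertext.
SAMPLE_BACKUP = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 20,
    "memo.docx": b"PK\x03\x04" + b"[Content_Types].xml" * 50,
    "readme.txt": b"Quarterly figures, see attached spreadsheet.\n" * 40,
    "invoice.pdf": _pseudo_ciphertext(1),
    "notes.txt": _pseudo_ciphertext(2),
}

if __name__ == "__main__":
    for name, verdict in check_backup(SAMPLE_BACKUP).items():
        print(f"{name:12s} {verdict}")
```

Compressed formats such as .docx and .jpg are high-entropy by nature, which is why the signature check, not the entropy check, decides for them.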

83 comments on “CryptoLocker ransomware – see how it works, learn about prevention, cleanup and recovery”

We experienced an infection last month from CryptoLocker. There was no way to reverse the encryption at that time. Has anyone come up with a way to reverse it now? I still have a client who has a NAS drive which has the data on it, however nobody has been able to unencrypt it, so the data is useless.

A unique RSA keypair is generated for your computer on the crooks' server.

The crooks send the public key to your computer for the malware to use when locking your files; the private key needed to reverse the process is kept on their server.

I don't think anyone has found any sort of implementation error, hole, backdoor, shortcut, or whatever in the cryptography used by the crooks. If you use standard crypto procedures and don't try to invent your own, it's not that hard to get it right.

The functional detail of the malware is covered in a bit more detail (seven steps to disaster 🙂) in this article:

According to Reddit the list has expanded now. It also covers all PDF files and more. Best practice is to backup on an external drive that's not connected to the comp. It seems like they are still honoring decryptions.

Good point – the list in our earlier article is precise *for that exact variant of the malware*, but new variants with altered operational details are easily made.

So the list is more of an advisory or a reminder (notably that this thing attacks a lot of important stuff!) than a specification.

Having said that, the list I linked to already included pretty much any MS Office file type, and IIRC all the various Adobe Creative Suite file types, so for most users it's going to end in tears anyway, with or without *.pdf on the list 😦

Sorry this is very late, but this thing happened to my phone this week and I don’t even know what I pressed, so I was reading about these things on your page, which gives me a little hope about this. But my phone was not on service, so I only used it when I had Wi-Fi, so does it still affect my info? I would really appreciate your feedback.

I'm about 99.9% sure that's not true: you can encrypt anything, even an already encrypted file. That doesn't necessarily make it more secure, though; in some cases you can apply some very advanced math to decrypt a file without using all the algorithm-layers used to initially encrypt the file.

Long story short: back up to an ext. drive disconnected from your computer, or even better, use a proper anti-virus and keep it up to date; also use an adblocker and just don't visit weird websites if you don't know what you're doing.

I am an amateur, and a long-time subscriber and user. I did watch the video, but am a Mac user; never had a PC. What are the dangers with a Mac? I assume the same, but it would be nice to see a video using a Mac as well.

This malware strain is Windows only, so the danger of a Mac getting *infected* by this variant of CryptoLocker itself is nil, assuming you don't dual-boot or run Windows in a virtual machine, of course.

Nevertheless, if you've got file sharing turned on, your OS X Mac might get *affected* if a Windows user to whom you have granted access gets infected. His CryptoLocker program might trash some of the files on your disk. That's why we're advising you to check your file sharing permissions – a good thing to do from time to time anyway.

(We've got some videos showing Mac malware round and about on our site…if you search for "Mac malware" or "Mac malware video" you'll come across some items that might be of interest…but fortunately nothing quite on this scale, at least so far.)

Is there any way to find the servers which they are using?
The names of the servers seem to be random; are they encrypted or really registered under those names?
I think this is one of the most destructive malwares of modern days.

The names are random (well, pseudorandom) and look like garbage. The idea is that the crooks only have to have one of them working each day, and your CryptoLocker "client" will eventually get through, call home, and that's that.

If you see a load of wacky DNS requests, as detailed in the article above, coming from your PC, I suggest that you disconnect from the network, get hold of the Virus Removal Tool on another PC, copy it to a USB key and use it to scan the offline computer…as long as it doesn't successfully call home, it won't trigger, since it needs the public key to encrypt the files.

In practice, however, since it tries one name per second and (IIRC) there are 1000 names in the list for each day, it's as good as guaranteed to get through in under 20 minutes (1000" = 16'40"), even if the crooks only register one domain and it's the last one in the list.
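The DNS tell-tale described in the reply above, as an added example (not code from the article or from Sophos): a small heuristic run over constructed resolver log lines that flags a client issuing a burst of random-looking lookups, most of which fail, and lists the few that resolved. The log format, the label length and entropy cut-offs, and the five-lookups-in-sixty-seconds threshold are assumptions of this example; the domain names are invented and are not CryptoLocker's.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO time> <client> <queried name> <response code>".
# The names are made up for this example; none is a real CryptoLocker domain.
SAMPLE_LOG = """\
2013-10-14T09:00:00 10.0.0.12 mail.example.com NOERROR
2013-10-14T09:00:01 10.0.0.12 qzkwhtyrmvcab.net NXDOMAIN
2013-10-14T09:00:02 10.0.0.12 xvbpltoaqmrsd.org NXDOMAIN
2013-10-14T09:00:03 10.0.0.7 www.example.co.uk NOERROR
2013-10-14T09:00:03 10.0.0.12 jfnduzkxpgwqe.biz NXDOMAIN
2013-10-14T09:00:04 10.0.0.12 hcsvtyeqlmwbk.info NXDOMAIN
2013-10-14T09:00:05 10.0.0.12 bkmoqtxpdrfuj.ru NXDOMAIN
2013-10-14T09:00:06 10.0.0.12 wltyzcgvhnsax.com NXDOMAIN
2013-10-14T09:00:07 10.0.0.12 rmqaztyxkwpnb.net NOERROR
2013-10-14T09:05:00 10.0.0.7 updates.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=10, min_entropy=3.0):
    """Coarse test: a long, high-entropy label directly under the TLD.
    This alone misfires on some legitimate names; the rate check below
    does the real work."""
    labels = name.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text):
    """Turn log lines into (timestamp, client, name, rcode) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name, rcode = m.groups()
            events.append((datetime.fromisoformat(ts), client, name, rcode))
    return events


def flag_dga_clients(events, window_seconds=60, min_queries=5):
    """For each client, find the largest number of generated-looking lookups
    inside any window; report clients at or above min_queries, together with
    how many lookups failed and which names resolved (the candidate servers)."""
    per_client = defaultdict(list)
    for ts, client, name, rcode in events:
        if looks_generated(name):
            per_client[client].append((ts, name, rcode))
    alerts = {}
    for client, queries in per_client.items():
        queries.sort()
        start, peak = 0, 0
        for end in range(len(queries)):
            while (queries[end][0] - queries[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_queries:
            alerts[client] = {
                "burst": peak,
                "nxdomain": sum(1 for q in queries if q[2] == "NXDOMAIN"),
                "resolved": [q[1] for q in queries if q[2] == "NOERROR"],
            }
    return alerts


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

A client flagged this way is a candidate for being taken off the network and scanned offline, as the reply suggests, before the lookups succeed.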

I have visited many of their websites. It seems they are all in Russia and the Ukraine. Also, according to VirusTotal, 38/48 virus scanners can pick up the latest variant. So if you have an up-to-date virus scanner such as Avira, Sophos, Symantec, McAfee, Kaspersky, MBAM Pro or MSE it will nearly always pick it up.

Thanks for the information. Bearing this in mind, I now have a program that encrypts and hides all files and puts them into a safety vault and removes it from Explorer so as not to be visible. However, there are some drawbacks: you need to remember what the vault is called, otherwise you can lose all your files. If at any time you forget the password and/or enter it incorrectly, all files are deleted from the drive, including the vault. Scary stuff, so it's always a good idea to have a stand-alone drive with backups of all your files.

Theoretically, the malware would take your already encrypted files and encrypt them again with the new key. This would be true only if the file extension of the encrypted file was one it was looking for.

I'm not a VSS aficionado, but from how I think it works and what it does, then if you have a shadow copy that was made before the malware triggered, you basically have a backup containing unencrypted copies of all the files that got trashed, right? Which is surely just what you need?

As far as I am aware, trashing a DOC file with CryptoLocker is pretty much the same, programmatically, as opening it in Word, overwriting it with garbage, and saving it.

A shadow copy, *if you have one from a suitable time in the past*, can recover files trashed by human blunder, so why not by CryptoLocker malevolence?

But clean up the malware on your network first – see @Paul's comment below for why 🙂

Assuming vss is enabled and the recovery snapshots are not corrupted (they do get corruption from time to time, unrelated to the malware), then once the malware is removed from the system you could recover your files. But vss is not a substitute for backups. Encryption is not the same as opening a file and overwriting it with garbage and saving it, but the net effect to you the user is the same.

Other variants may have a different list, so damage may vary somewhat. But it doesn't smash every file – notably, the operating system and your software files are mostly left alone, so that your computer keeps working.

The crooks don't want to kill your computer completely – since you need to be online to pay them the money, zapping *all* your files would kill the goose that was about to lay the golden Bitcoins 🙂

I have spent the whole week dealing with this.
Encrypted files are safe!!
We didn't know a computer had a virus, and every time we restored a backup, within a couple of hours it was knackered again.
We found the virus by chance by looking at open shares on the server: 1 PC had about 100 files open, but the user wasn't there and I had rebooted the server since they had left.
Once we pulled this off of the network we could use previous backups and restore points, BUT only from before that PC had been infected.
The backups and restore points were still working with the encrypted files. Therefore we were restoring encrypted data.

Long answer, "It might just be possible, but you'd have to negotiate with the crooks, and trust that they were lying when they said that they would delete your decryption key permanently after 72 hours."

Short answer, "No."

See the section "CryptoLocker – what is it?", and also look at the explanation here:

Does the software prompt with the demands the instant it retrieves a key pair, after a certain time spent encrypting, or after it cannot find any more files to encrypt?

It's worth knowing, as users should be aware whether immediately powering down a system once spotting this prompt will at least minimise the damage. From the video it appeared as though it was still using a fair amount of CPU time, making me think encryption was ongoing after the prompt.

AFAIK, it displays the pay page as soon as it can, whether it's finished encrypting or not.

So if you see the pay page, I don't think it would do any harm to shut down immediately, boot from a recovery CD (Sophos Bootable Anti-Virus would do the trick) and try to extract your important files to an external drive – if you don't have a backup you might be able to save some of your work even at this late stage.

Assume the worst, though. Don't rely on this approach to leave anything behind…the encryption itself doesn't require a huge amount of work, at least on the local drive, so it happens pretty quickly.

I had the same issue with someone else. I figured a known-plaintext would work, or something similar (since I already had a backup of a file that had been affected by the virus), but not against the RSA algorithm, apparently. Or so I’ve read.

What you're thinking of is a known plaintext attack, but those don't work if you implement the encryption "by the book" (whether you use public key encryption, traditional secret key encryption, or both).

Can anyone (that's not a criminal) confirm they have actually recovered files by paying the ransom?
We spoke to Action Fraud, a UK government helpline (0300 123 2040); the chap I spoke to had had about 10 callers with the virus, 3 had paid but did not get data restored. He didn't know of anyone that had.

Many accounts say yes, it usually takes up to 48 hours for them to confirm that they received payment. In addition to unencrypting your files, it installs a process on your computer preventing re-infection

If that last part is correct, is it not possible to discover how to replicate their process for preventing re-infection? If a group of devoted security researchers paid the ransom, studied the process that prevents re-infection, and compared results, they could eventually create an algorithm for creating these re-infection processes and sell it to an anti-virus company for a lot of money.

We have just been hit with this malware Monday night and I will have to say that it is a nightmare! It encrypted about 80GB of data (pictures, Word, Excel, PPT). We have a Kaspersky antivirus server and I am extremely upset it didn't detect it. The computer infected had multiple drives on a file server and it encrypted all the files that the user had access to. At this point I am debating if I should pay the $300. If I come to a solution I will post it.

Sorry to hear that Kaspersky missed it. (I'll not be gloating. You win some, you lose some.) Sounds as though the user might have had more write access than strictly necessary – could be a good time, when this is done and dusted, to review how broadly you allow write access to files.

If you give user X write access to 100,000 files of which they'll only change 2 or 3 a month, it's probably worth giving them write access to 0 files and editing their access when it's really needed.

I can say that at least at some point in the past, paying did get your files unencrypted. Someone I know ended up paying and got access back to all files. We backed them up and then wiped the hard drive before allowing just the files to be restored.

This is not true. Payment does get the files unlocked and is the only reasonable step if you have a large number of files affected. We had 300GB of client files affected by cryptolocker. It took approx. 10 hours to decrypt all of them, but it did work.

They're easy to use and store. With USB3 I can transfer up to 3GB/minute from my Mac to the external disk, so even backing up things like 20GB virtual machine files and rendered videos is a quick process.

They're easy to store off-site, too. And if you use a regular filing system (e.g. NTFS, Mac HFS+) you can easily encrypt the whole disk so you know that it can't easily be viewed by unauthorised users.

System restore does not backup data, only system related files and configuration information. You should make an image backup of your entire system as a matter of best practice and then do a file backup and retain them at least a couple of weeks. Don’t leave the backup drive connected to the computer when not actually backing up.

Thanks for the video. Does anyone know what image file the malware drops onto the desktop?
If you watch the video closely at 4:31, right after it changes the desktop background, it drops a randomly named image.
Is it a list of files it encrypted for the user to "verify"?

In reference to the post I made two days ago in here: it is confirmed in my case that paying the $300 to Cryptolocker through MoneyPak worked. It took about a day to process the payment and another day to decrypt all the files back to their original state… I then disconnected the infected computer, keeping it away from the network, and made a backup on an external HD to scan and verify the integrity of the documents (PDF, Word, Excel etc.) before putting it back up on the file server. The only reason I paid them is because I did not have a recent backup of the encrypted files. =/ So people, I learned my lesson: check that your backups are OK so you can

Sadly it appears to most that the bad guys in this case wrote a real RSA public/private key encryption program. No Private key, no decryption. So there won't be any magic remedy, although I can picture someone CLAIMING that ability for even more $.

My father works with an IT group, and started there recently. The company did not have a backup, or anything else to prevent this program from destroying several clients' data, which spells death for a company whose main source of income is data storage. Paying up was literally their only option, and the decryption program they use will stop running completely if it encounters a file it can't decrypt, requiring you to restart the decryption process. It was a nightmare to deal with and a train wreck to observe.

I work for a small mortgage company that has been around for over 25 years. We have about 10 years of files on a server, and unfortunately, NO BACK UP! We have paid the ransom today in the hopes of having our files returned decrypted as we cannot even fathom or chance losing all of our files. We also in the last couple of years went paperless, so you can see our desperation. I will keep you posted regardless! Starting over from scratch is just not an option…

I hope the FBI can catch these guys…And would love any suggestions on how to deal with the aftermath.

If your company allows access to web sites then I assume it was downloaded from one, because all my 3 encounters were from Clicksor-sponsored and ad-marketed sites. Did the ransom image state you had been doing illegal activities, pretending it was from the federal authorities? Is the only way to get the system back to buy a MoneyPak, then input the code?

Is it really so difficult to trace where these payments are going? Arms length is one thing, felony extortion is another. I would say it is possible to trace the payment if law enforcement knows about it from the start. Someone has to be the steady recipient of this money.

I agree. I know that Bitcoin is, in theory, untraceable but we're talking national intelligence agencies. I don't buy for one minute they're that incompetent. If they wanted to catch the extortionists, they could.

If the malware continues to encrypt after you notice it, then use a sacrificial file and then you have a before and after. In theory, how many files are needed to reconstruct a key after some number-crunching [which could take a VERY long time, but still less than infinite time to never recover dead files].

Talk about “damned if you do, damned if you don’t”, there’s no guarantee that the files recovered are actually infection or corruption free.
You might pay up and find a month down the road that files have subtle errors.

I have read around that Windows System Restore will be able to restore the files that were encrypted to their original state. If that is the case, then software that performs instant restore, such as RollBack Rx, should be able to restore the system and its files to the state before the infection, yes? Or am I missing some crucial cryptography component that will even lock down such restore options?

I have also got this problem: several file servers have hundreds of files on them that I cannot access due to encryption.
The PC on the network that had the warning notice no longer has it, so I am unable to pay if I wanted to.

Can anyone please advise how, if I wanted to pay for the un-encryption, I could pay?

Most of these answers suggest paying up and sound like they’re very much supportive of this type of filthy rotten crook, and making this rubbish sound so sophisticated.

My suggestion is before you pay a cent contact:
http://www.fbi.gov/contact-us/
http://www.actionfraud.police.uk/report_fraud

…or the authority in your country and ask them what they suggest. If the money can be digitally transferred then surely it can be digitally traced? Someone has to receive it, and the authorities have the technology and the authority to demand who does.

If I encrypt a document with a file type on the Cryptolocker list, will that file be visible to cryptolocker and be encrypted again?
I suspect that a file that I encrypt is still listed in the MFT and would be found by cryptolocker.

If CryptoLocker can open, read and write the file using the Windows API, then it can encrypt it for its own purposes, regardless of whether it was encrypted before. As far as I am aware, it decides whether to try rewriting a file based only on its extension.

Well, the servers and domain names move around all the time…and how do you trace someone’s IP number if they registered via a proxy on some home user’s zombified PC?

Not saying it can’t be done, just (sadly) that as so often happens, all the rules that squeeze legitimate users to give up loads of PII in return for getting online services (it’s not as though collecting all that stuff puts us at any risk if there’s a breach, and it’s not as though breaches happen very often, ha!) don’t put a whole lot of strain on the crooks 😦